Feuer sues Uber over failure to disclose data breach

Los Angeles City Attorney Mike Feuer on Monday filed a lawsuit against Uber Technologies alleging the company violated the California Unfair Competition Law when it failed to disclose that hackers compromised its computer system in November 2016 and stole the personal information of approximately 57 million users worldwide.

Los Angeles City Attorney Mike Feuer outlined his lawsuit against Uber Technologies over a data breach in 2016. He was joined by Marissa Roy, a fellow in the city attorney’s office. (photo by Edwin Folven)

The California Unfair Competition Law requires that companies notify regulators and victims when a data breach is discovered and personal information is compromised. The lawsuit alleges that after Uber learned about the hacking a year ago, the ride-hailing company “hid the breach” and instead privately located two unidentified individuals allegedly responsible. The company paid them $100,000 in exchange for a promise to destroy the data and enter into non-disclosure agreements to “keep quiet” about the breach, Feuer said. Uber publicly announced the hacking on Nov. 21.

“We allege Uber violated California law, and public trust, when it hid the massive data breach,” Feuer said. “Uber and other companies holding vast amounts of private data need to safeguard it, and immediately come clean if the information is compromised.”

The hackers allegedly stole the names and driver’s license numbers of 600,000 Uber drivers. Uber issued a statement indicating that the hackers also may have downloaded some personal information about 57 million Uber customers around the world, including names, email addresses and phone numbers.

Because the data was allegedly destroyed, authorities are unsure how many people in the United States, and specifically California, were affected. Feuer said the lawsuit was filed to “hold the company accountable” and to prevent similar future data breaches. It seeks unspecified civil penalties to be imposed by the court.

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” said Uber CEO Dara Khosrowshahi. “The incident did not breach our corporate systems or infrastructure. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Khosrowshahi also outlined steps that Uber has taken to prevent future data breaches, including partnering with Matt Olsen, co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to create a system that will be more difficult for hackers to penetrate. The statement also reported that two employees who led Uber’s initial response to the hacking are no longer with the company. Uber did not identify the employees. The company is notifying all drivers whose information was illegally obtained and is offering them free credit monitoring and identity theft protection.

Feuer said Uber should have done more to prevent the hacking, particularly because of an earlier settlement the company reached in 2016 with the New York Attorney General’s Office over a different data breach dating to as early as 2014 in which hackers allegedly stole the personal information of drivers. That settlement also stemmed from a separate investigation into Uber using an internal tracking system to monitor customers’ trip destinations. The settlement required Uber to change policies about tracking customers, limiting the tracking only to “legitimate business purposes,” according to a statement from the New York Attorney General’s Office. It also stipulated more training for employees to better protect driver and customer privacy, and the adoption of better protections for the storage, transfer and collection of data. Under the settlement, Uber paid a $20,000 fine for failing to notify government regulators and victims about the data breach.

“If any company should know better, it’s Uber, which reached a previous settlement after allegedly failing to provide timely notice to its users about an earlier security breach,” Feuer said.

The lawsuit was filed in Los Angeles County Superior Court and will be considered at a date to be determined.